Normally it's a better practice to inform the site owner about a possible bug on their website and ONLY release it to the public 'after' the owners have fixed it. You can also file CERT advisories so that other webmasters using the software can get security patches.

What you did in this case was probably not the right way to expose the vulnerability. I am happy to know that you were curious enough to try the XSS vulnerability but making it public was not the best step.

6 February, 2009, 15:03 PM

Hellas

check this out
but don't log in

Code:

http://forums.digitalpolnt.com/

watch for l in point.

6 February, 2009, 15:11 PM

jangkrikjr

Cool tips. But I don't want to try it

6 February, 2009, 17:41 PM

Shawn

I got a laugh out of it. If someone did that to my forum and it wasn't anything bad like p0rn, I would have used it to improve the security and not have banned the poster/hacker.

To think that if you were to get ticked off now, you could make it worse on them, if you were a corrupt hacker.

6 February, 2009, 17:42 PM

Shawn

Quote:

Originally Posted by Hellas

check this out
but don't log in

Code:

http://forums.digitalpolnt.com/

watch for l in point.

What was your point?

Oh, I see, I will go visit.... or maybe not.... probably loads a virus if I did.

6 February, 2009, 19:24 PM

stickycarrots

lol...that is awesome :)

6 February, 2009, 19:37 PM

epidemic

I had one trying it on my old website once. If you use mysql_real_escape_string() you'll be fine with any type of injection, it being JS or SQL
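The two kinds of escaping touched on in the post above, side by side, as an added example that is not part of the thread or any poster's code. `sql_string_escape` is a hypothetical Python model of the character set that mysql_real_escape_string() is documented to backslash-escape, and the sample strings are constructed.

```python
import html

# Characters mysql_real_escape_string() is documented to backslash-escape.
_SQL_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def sql_string_escape(value: str) -> str:
    """Model of MySQL string-literal escaping (illustration, not the PHP function)."""
    return "".join(_SQL_ESCAPES.get(ch, ch) for ch in value)


def html_escape(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def raw_markup_chars(value: str) -> list:
    """Characters still present that an HTML parser treats as markup or quoting."""
    return sorted({ch for ch in value if ch in "<>\"'"})


def compare(value: str) -> dict:
    """Run one input through both escapers and report what each leaves behind."""
    sql, htm = sql_string_escape(value), html_escape(value)
    return {
        "sql": sql,
        "html": htm,
        "markup_left_after_sql": raw_markup_chars(sql),
        "markup_left_after_html": raw_markup_chars(htm),
    }


# Constructed sample inputs: one with a SQL quote, one with HTML markup.
SAMPLES = ["O'Reilly", "<i>hello</i>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        for key, val in compare(sample).items():
            print(f"{key:>24}: {val}")
        print()
```

Each escaper targets one output context: the SQL one is applied when building a query string, the HTML one when writing a value into a page.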

6 February, 2009, 20:16 PM

LogicFlux

Funny. I'm surprised that vulnerability exists, even in a version that's a year and a half old.

7 February, 2009, 03:42 AM

Mike Dammann

That place is like a hen house with no roosters. The mod chat has to be pure comedy with everyone trying to figure these things out.